Re: [squid-users] How Bad is CONNECT and Should I Prevent It?

From: Alex Rousskov <rousskov@dont-contact.us>
Date: Thu, 21 Jun 2007 09:12:15 -0600

On Tue, 2007-06-19 at 16:13 -0500, K K wrote:

> ICAP doesn't support MITM "CONNECT" tunnel handling, though some ICAP
> clients will forward the connect "URL" to an ICAP service to be
> approved or denied, the ICAP standard doesn't allow for looking inside
> the SSL/TLS conversation.

I do not think ICAP, as a protocol, prohibits CONNECT or any other HTTP
request method handling. An ICAP server can be written to inspect,
block, and even adapt CONNECT headers and data streams.

Whether a given proxy and a given ICAP server implementation can do
something intelligent about CONNECT tunnels is a separate question. If
there is enough demand, I am sure Squid will support ICAP-based
inspection and selective blocking of CONNECT traffic.

Alex.
Received on Thu Jun 21 2007 - 09:12:26 MDT
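
The kind of check the reply describes, as an added example that is not part of the original message and is not Squid's or any real ICAP server's code: a REQMOD handler that reads the encapsulated CONNECT request line and either passes it or answers with an HTTP 403. Framing follows RFC 3507; the host names, ISTag value and port policy are constructed assumptions, and only the CONNECT header is examined, not the tunneled data.

```python
# Added illustration, not Squid or any real ICAP server's code.
# Framing follows RFC 3507; host names, ISTag and policy are constructed.
ALLOWED_PORTS = {443}          # assumed policy: tunnels to the HTTPS port only
ISTAG = 'ISTag: "example-1"\r\n'

def build_reqmod(http_req: bytes, allow_204: bool = True) -> bytes:
    """Wrap an HTTP request header block in an ICAP REQMOD message."""
    head = ("REQMOD icap://icap.example.net/reqmod ICAP/1.0\r\n"
            "Host: icap.example.net\r\n"
            + ("Allow: 204\r\n" if allow_204 else "")
            + f"Encapsulated: req-hdr=0, null-body={len(http_req)}\r\n\r\n")
    return head.encode("ascii") + http_req

def split_reqmod(message: bytes):
    """Return (ICAP headers dict, encapsulated HTTP request header bytes)."""
    head, _, body = message.partition(b"\r\n\r\n")
    headers = {}
    for line in head.decode("ascii").split("\r\n")[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    offsets = {}
    for part in headers["encapsulated"].split(","):
        key, _, off = part.partition("=")
        offsets[key.strip()] = int(off)
    # The request header section ends where the next section begins.
    end = min(o for k, o in offsets.items() if k != "req-hdr")
    return headers, body[offsets["req-hdr"]:end]

def connect_allowed(http_req: bytes) -> bool:
    """Apply the port policy to CONNECT; other methods pass untouched."""
    method, target, _ = http_req.decode("ascii").split("\r\n")[0].split(" ", 2)
    if method != "CONNECT":
        return True
    port = target.rpartition(":")[2]
    return port.isdigit() and int(port) in ALLOWED_PORTS

def handle_reqmod(message: bytes) -> bytes:
    headers, http_req = split_reqmod(message)
    if not connect_allowed(http_req):
        # Block: answer REQMOD with an encapsulated HTTP error response.
        deny = b"HTTP/1.1 403 Forbidden\r\nContent-Length: 0\r\n\r\n"
        enc = f"Encapsulated: res-hdr=0, null-body={len(deny)}\r\n\r\n"
        return ("ICAP/1.0 200 OK\r\n" + ISTAG + enc).encode("ascii") + deny
    if "204" in headers.get("allow", ""):
        return ("ICAP/1.0 204 No Content\r\n" + ISTAG + "\r\n").encode("ascii")
    # Client did not offer 204: hand the unmodified request back.
    enc = f"Encapsulated: req-hdr=0, null-body={len(http_req)}\r\n\r\n"
    return ("ICAP/1.0 200 OK\r\n" + ISTAG + enc).encode("ascii") + http_req
```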
